Choicepoint

Top News

Data Breach Bill Would Preempt State Law, Weaken FCC Authority: Representatives Burgess, Blackburn, and Welch have proposed a bill for data breach notification. The Data Security and Breach Notification Act would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumers' privacy. In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. In 2009 and again in 2011, EPIC favored baseline federal law that would allow states to innovate and develop new legislative responses to privacy risks. (Mar. 13, 2015)

FTC Charges Data Broker with Theft: The Federal Trade Commission has brought a complaint against LeapLab, a commercial data broker. According to the complaint, LeapLab bought the payday loan applications of “financially strapped consumers,” and then sold the consumer information to marketers. At least one marketing company that purchased consumer information from LeapLab used that information to steal millions of dollars from consumers’ bank accounts. “This case shows that the illegitimate use of sensitive financial information causes real harm to consumers,” said Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection. In 2005, EPIC testified before the House Commerce Committee on "Identity Theft and Data Broker Services" and urged Congress to establish comprehensive regulation of the data broker industry following the disclosure that Choicepoint was selling personal information to criminals engaged in identity theft. Further, EPIC's complaint to the FTC against Choicepoint led to a $10 million settlement. For more information, see EPIC: Choicepoint, EPIC: Privacy and Consumer Profiling, and EPIC: FTC. (Jan. 2, 2015)

Senators Rockefeller and Markey Propose Data Broker Legislation: Senators Rockefeller and Markey have introduced the Data Broker Accountability and Transparency Act of 2014 (DATA Act). The proposed Act imposes transparency and accountability requirements on data brokers and other companies that profit from the collection and sale of consumer information. Under the DATA Act, consumers would be able to access their personal information, make corrections, and opt out of marketing schemes. The DATA Act would empower the FTC to impose civil penalties on violators, and would prohibit data brokers from collecting consumer data in deceptive ways. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker Choicepoint led to a $10 million settlement. For more information, see EPIC: Federal Trade Commission, EPIC: Choicepoint and EPIC: Privacy and Consumer Profiling. (Feb. 13, 2014)

Senate Report Shines Light on How Data Brokers Operate: A Senate Committee Majority Staff report released today highlights the oft-concealed practices of data brokers. The report finds that data brokers lack transparency and collect sensitive personal information, while individuals lack basic rights to know what data is collected or how it is used. The brokers, the report notes, prevent business customers from revealing how data is obtained. The report also exposed how personal information is often used to target the financially vulnerable. Thus far, the data broker industry has largely escaped federal regulation. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker Choicepoint led to a $10 million settlement. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Dec. 18, 2013)

FTC Chairwoman Calls for Transparency in Big Data: In a keynote speech at the Technology Policy Institute Aspen Forum, FTC Chairwoman Edith Ramirez called upon companies to "move their data collection and use practices out of the shadow and into the sunlight." Chairwoman Ramirez highlighted the risks of big data including indiscriminate collection, data breaches, and behind-the-scenes profiling. She stressed the importance of protecting consumers' privacy and said, "with big data comes big responsibility." EPIC previously testified before Congress and called for the regulation of data brokers because there is too much secrecy and too little accountability in their business practices. EPIC has also consistently recommended that the FTC enforce Fair Information Practices, such as those contained in the Administration's Consumer Privacy Bill of Rights, against commercial actors. For more information, see EPIC: Choicepoint and EPIC: Privacy and Consumer Profiling. (Aug. 19, 2013)

FTC Pursues Investigation of Data Brokers: The Federal Trade Commission has issued orders requiring nine data brokerage companies to provide the agency with information about how they collect and use data about consumers. The agency said it will use the information to study privacy practices in the data broker industry. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC brought a complaint to the FTC against the data broker Choicepoint that produced a $10 million settlement, then the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Dec. 19, 2012)

Lawmakers Gain "Partial Glimpse" into Data Brokers' Business Practices: Members of the Congressional Bi-Partisan Privacy Caucus released the responses of several data brokers to an inquiry into their business practices. Data brokers collect and sell the personal information of consumers to third parties, typically without the knowledge of the consumers themselves. The lawmakers reported that most of the companies did not consider themselves "data brokers," and that "[m]any questions about how these data brokers operate have been left unanswered, particularly how they analyze personal information to categorize and rate consumers." The Federal Trade Commission recently called for data-broker legislation in a report on consumer privacy. In 2005, EPIC brought a complaint against the data broker Choicepoint that produced a $10 million settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Nov. 8, 2012)

Data Broker Merger Threatens Privacy. Reed-Elsevier, corporate parent of Lexis-Nexis, has made a move to acquire Choicepoint, the databroker. Consumer privacy will be seriously affected if the merger is approved without any privacy safeguards. The previous Google-Doubleclick merger involving two large databases of personal information similarly raised privacy as well as antitrust issues. Choicepoint is a large player in the commercial databroker market and has been the target of an EPIC privacy complaint and an FTC investigation and fine for the privacy harms its business practices cause. (February 21, 2008)

Coalition: Data Security Bills Fall Short. A coalition of privacy and consumer advocacy groups has called upon leaders of five Congressional committees to consider a strong privacy framework for data security. All the legislation being considered by Congress would roll back protections offered in states with security breach notice requirements, and many of the bills do not address the privacy problems raised by commercial data brokers. (November 9, 2007)

EPIC Testifies on Data Security Legislation. In testimony before the House Commerce Subcommittee on Consumer Protection, EPIC West Coast Director Chris Hoofnagle urged Congress to pass strong data security legislation that includes privacy protections for use of personal information. The hearing concerned bipartisan draft data security legislation that would require companies to give notice to consumers of security breaches. (Jul. 28, 2005)

Introduction and Background

ChoicePoint is an Alpharetta, Georgia-based company that sells information in three markets--insurance, business and government, and marketing. According to a recent quarterly statement filed at the Securities and Exchange Commission, ChoicePoint sells: "claims history data, motor vehicle records, police records, credit information and modeling services...employment background screenings and drug testing administration services, public record searches, vital record services, credential verification, due diligence information, Uniform Commercial Code searches and filings, DNA identification services, authentication services and people and shareholder locator information searches...print fulfillment, teleservices, database and campaign management services..."

ChoicePoint has managed to attain a large share of the commercial data broker (CDB) market with strategic purchases of other businesses. Since its spinoff from Equifax in 1997, ChoicePoint has acquired a number of information collection and processing companies. These include:

An April 13, 2001 article in the Wall Street Journal reported that profiling company ChoicePoint provided personal information to at least thirty-five government agencies. EPIC has filed a series of Freedom of Information Act requests to determine the nature and amount of information sold to government. To date, EPIC has determined that ChoicePoint has several multi-million dollar contracts with law enforcement agencies to sell personal data.

ChoicePoint sells a wide array of information to the government, including:

Credit headers, a list of identifying information that appears at the top of a credit report. This information includes name, spouse's name, address, previous address, phone number, Social Security number, and employer.

The ability to engage in "wildcard searches," which allows law enforcement to "obtain a comprehensive personal profile in a matter of minutes" with only a first name or partial address.

The use of "Soundex" queries, which allow searches on personal information based on how names sound, rather than how they are spelled.

Information on neighbors and family members of a suspect.

ChoicePoint's AutoTrackXP is one of the most favored CDB products. It provides an interface for additional data points, including:

Linkage services, which draw graphical relationships between suspects and other addresses, neighbors, and Social Security Numbers.

Public records, including Social Security Death Master Filings, bookings and arrests, liens, judgments, and bankruptcies.

Licenses, including drivers, pilots, and professional credentials.

Lists of residents of Georgia, New York, and Ohio.

National real-time phone directories and reverse look up services.

Business information, compiled nationwide from Secretaries of State.

"SmartSearch," a tool that allows broad wildcard searches: "There may be thousands of Jane Does, but there's probably only one Jane Doe who's between 25 and 30 and lives on the upper west side of Manhattan. SmartSearch makes it possible to find that one."

U.S. Military Personnel.

Boat owners.

At Privacy International's Big Brother Award ceremony held in Cambridge, MA on March 7, 2001, ChoicePoint received the "Greatest Corporate Invader" award "for massive selling of records, accurate and inaccurate to cops, direct marketers and election officials." At Privacy International's Big Brother Award ceremony held in Seattle, Washington in April 2005, ChoicePoint received the "Lifetime Menace Award" for its continued efforts to build dossiers on individuals.

FTC Investigation of Choicepoint

The Federal Trade Commission (FTC) is conducting an investigation of Choicepoint and other commercial data brokers, in part based on a complaint that EPIC filed at the agency in December 2004. In that complaint, Chris Jay Hoofnagle and Daniel J. Solove urged the agency to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint. EPIC argued that the dossiers may constitute "consumer reports" for purposes of the Fair Credit Reporting Act, thus subjecting both the information seller and the buyer to regulation under the Act. Furthermore, EPIC argued that it is incumbent upon the Commission to analyze whether the sale of these dossiers circumvents the Act, giving businesses, private investigators, and law enforcement access to data that previously had been subjected to Fair Information Practices.

Some dossier products, such as the company's AutoTrackXP report, are sold without complying with the substantive and procedural protections in the Fair Credit Reporting Act, a 1970 law that broadly regulates the compilation, use, and dissemination of "consumer reports."

AutoTrackXP reports contain Social Security Numbers; driver license numbers; address history; phone numbers; property ownership and transfer records; vehicle, boat, and plane registrations; Uniform Commercial Code filings; financial information such as bankruptcies, liens, and judgments; professional licenses; business affiliations; "other people who have used the same address of the subject," "possible licensed drivers at the subject's address," and information about the data subject's relatives and neighbors. They are similar in scope and in use to standard credit reports normally protected by the Act. By selling them without the Act's protections, ChoicePoint is subverting the policy goals of federal information privacy law.

EPIC argued that companies like ChoicePoint are returning people to a pre-Fair Credit Reporting Act era, one marked by "unaccountable data companies that reported inaccurate, falsified, and irrelevant information on Americans, sometimes deliberately to drive up the prices of insurance or credit."

Later in December 2004, Choicepoint answered the EPIC letter, disputed charges, and called for a national debate. EPIC responded by challenging the company to a public debate.

In February 2005, EPIC supplemented the Choicepoint complaint. The supplemental letter raises three additional issues relevant to the rise of commercial data brokers. First, an article written by Robert O'Harrow Jr. of the Washington Post quoted Choicepoint representatives saying that the company acts like an "intelligence agency" and that the data industry should be subject to new regulations because of how personal information is being used. O'Harrow's article demonstrated the reliance on commercial data brokers for decision-making, and the growing importance that the brokers' data be accurate and their practices accountable to the public.

Second, the letter included a dialogue from Declan McCullagh's Politechbot.com mailing list concerning the December 2004 complaint. A list message from a private investigator who uses Choicepoint noted that the company maintains an audit trail of clients who access personal information. The EPIC letter points out that law enforcement users are not subject to the audit trails, and that EPIC is unaware of a single case where a commercial data broker has turned in a user for prosecution as a result of an audit showing prohibited use of the service.

Last, the letter included a transcript of a recent television broadcast, "Someone's Watching," that aired on Dec. 18, 2004, on the Discovery Times Channel. The broadcast shows two private investigators using a commercial data broker to access a stranger's Social Security Number, employment details, and other information without any legal justification.

Also in February 2005, Choicepoint announced that the company sold personal information on at least 145,000 Americans to a criminal ring engaged in identity theft. EPIC urged the company to make available to those whose personal information was negligently disclosed the same information made available to the crooks. "It is not only a matter of fairness, but also a critical public safety concern that these individuals have in their possession the same information about them that you gave to criminals," said the February 18 letter from EPIC.

California police have reported that the criminals used the ChoicePoint data to make unauthorized address changes on at least 750 people, and investigators believe that personal information of up to 400,000 people nationwide may have been compromised.

Choicepoint's Response to the Sale of Information to Criminals is Inadequate

In an article forthcoming in the University of Illinois Law Review, Daniel Solove and Chris Hoofnagle argue that Choicepoint's response to security problems is inadequate:

In light of Choicepoint's sale of personal information to criminals, the company has announced that it, "will discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there is a specific consumer-driven transaction or benefit, or where the products support federal, state or local government and criminal justice purposes."

We think ChoicePoint's reforms are inadequate to address the privacy implications of the commercial data broker industry. First, ChoicePoint's reforms do not bind the company's competitors, and so other commercial data brokers can continue to sell SSNs and other personal information. Jonathan Krim reported recently that, "So far, neither those moves nor revelations of a series of breaches at major banks and universities has curbed a multi-tiered and sometimes shadowy marketplace of selling and re-selling personal data that is vulnerable to similar fraud."

Second, Choicepoint is still going to sell its unregulated "public records" reports to small businesses, albeit with the SSN or driver license "truncated." Large businesses and law enforcement will still be able to obtain the full report with sensitive information. It is not clear how the SSN will be truncated. Some companies obscure the first five digits, while others block the last four. Without a full redaction of the SSN, it may be possible for small businesses to "reverse-engineer" the system, and obtain the full identifier. Why not completely eliminate the SSN from the report, rather than truncate it and risk that the user can piece the SSN together from several sources?

Third, these public records reports sold by Choicepoint have been shown to be highly inaccurate. According to a report by Pam Dixon of the World Privacy Forum, Choicepoint's public information reports have a very high error rate. In her sample, 90% of the reports obtained contained errors; frequently these errors were serious, such as individuals being identified by the wrong sex. Dixon's initial findings are supported by anecdotal stories of other individuals who have obtained their unregulated ChoicePoint reports. Elizabeth Rosen, a victim of the Choicepoint privacy breach, found that five of the six pages of her report contained errors. Rosen's report erroneously indicated that she was the officer of businesses in Texas, that she maintained a private mail box at "Mailboxes Etc.," and that she owned businesses, including a "Zach's Cheese and Deli." Privacy researcher Richard Smith obtained his Choicepoint report and wrote that his report "contain[ed] more misinformation than correct information." Deborah Pierce's National Comprehensive Report from ChoicePoint falsely indicated a "possible Texas criminal history."

Fourth, individuals will have access, but not correction rights with respect to Choicepoint's unregulated public information reports. Choicepoint claims that they cannot correct these reports because they are generated from public records. However, this claim is deceptive--the problem is that Choicepoint is mixing up public record information between individuals. The public records are correct, but they are attached to people to whom they do not pertain. As mentioned earlier, Deborah Pierce's Choicepoint report indicated that she might have a criminal record in Texas. The criminal record itself may be accurate, but the record does not pertain to Deborah Pierce.

Fifth, nothing binds Choicepoint to its promise to maintain its reformed policies. In recent years, many large companies including eBay.com, Amazon.com, drkoop.com, and yahoo.com changed users' privacy settings or altered privacy policies to the detriment of users. Choicepoint is legally in a better position to renege on its promises, as it does not acknowledge a direct relationship with consumers that could be the basis of a legal action. Choicepoint's "consumers" are the businesses that buy data from the company.

Sixth, Choicepoint still is reserving the right to sell "sensitive" personal information to businesses in a large number of contexts. Choicepoint's release states that sensitive information will be sold to "[s]upport consumer-driven transactions where the data is needed to complete or maintain relationships . . .[p]rovide authentication or fraud prevention tools to large, accredited corporate customers where consumers have existing relationships . . . [a]ssist federal, state and local government and criminal justice agencies in their important missions." These categories articulated by Choicepoint are broad and ill-defined. What specifically falls under "consumer-driven transactions"? When is data "needed to complete or maintain relationships?" Under this standard, Choicepoint can decide what a consumer benefit is. In the past, Choicepoint has broadly defined "consumer benefit," explaining that the company would not let people opt-out of information sale because, "[w]e feel that removing information from these products would render them less useful for important business purposes, many of which ultimately benefit consumers." Simply put, Choicepoint's idea of what benefits consumers differs from what consumers and consumer advocates think benefits them.

Seventh, the Choicepoint policy allows the company to sell full reports for anti-fraud purposes. While in theory this exception seems appropriate, almost any transaction can have some fraud risk. If a broad fraud exemption is maintained, it will allow the sale of reports even when the fraud risk is minimal or a proxy for wishing to collect information for some other purpose.

Finally, Choicepoint's proposal does not at all limit sale of personal information to law enforcement. The company continues to sell personal information to 7,000 federal, state, and local law enforcement agencies.
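The truncation concern in the second point of the excerpt above can be checked mechanically. The following is an added example, not part of the EPIC page or the Solove and Hoofnagle article: it audits how many digits of an identifier stay hidden when the same record is available from sources that truncate differently. The function names, the accepted mask characters, and the sample values (built on the never-issued area number 000) are assumptions made for illustration.

```python
"""Audit joint exposure of an SSN across sources that truncate it differently.

Added illustration; every sample value here is constructed (area 000 is never issued).
"""
import re
from dataclasses import dataclass

MASK_CHARS = set("Xx*#")  # assumed mask characters; real report formats vary
SSN_SHAPE = re.compile(r"[0-9Xx*#]{3}-?[0-9Xx*#]{2}-?[0-9Xx*#]{4}")


def parse_truncated(value):
    """Return a 9-tuple: the digit at each revealed position, None where masked."""
    if not SSN_SHAPE.fullmatch(value):
        raise ValueError(f"not a (truncated) SSN format: {value!r}")
    chars = value.replace("-", "")
    return tuple(None if c in MASK_CHARS else c for c in chars)


@dataclass(frozen=True)
class Exposure:
    revealed_positions: tuple  # indexes 0..8 visible in at least one source
    hidden_digits: int         # positions masked in every source
    search_space: int          # candidates left to guess: 10 ** hidden_digits
    conflicts: tuple           # positions where sources disagree on the digit
    fully_exposed: bool        # True when truncation protects nothing


def audit(views):
    """views maps a source name to the truncated SSN it shows for one record.

    The audit reports coverage only; it never assembles or returns the number.
    """
    seen = [set() for _ in range(9)]
    for value in views.values():
        for i, digit in enumerate(parse_truncated(value)):
            if digit is not None:
                seen[i].add(digit)
    revealed = tuple(i for i, s in enumerate(seen) if s)
    # Disagreement suggests the records were attached to different people,
    # the mix-up the excerpt describes in its fourth point.
    conflicts = tuple(i for i, s in enumerate(seen) if len(s) > 1)
    hidden = 9 - len(revealed)
    return Exposure(revealed, hidden, 10 ** hidden, conflicts,
                    hidden == 0 and not conflicts)


# Constructed sample: two report products with opposite truncation rules.
SAMPLE_VIEWS = {
    "report_a": "XXX-XX-3456",  # obscures the first five digits
    "report_b": "000-12-XXXX",  # blocks the last four
}

if __name__ == "__main__":
    for name, value in SAMPLE_VIEWS.items():
        single = audit({name: value})
        print(f"{name}: {single.hidden_digits} hidden, "
              f"{single.search_space} candidates remain")
    combined = audit(SAMPLE_VIEWS)
    print(f"combined: {combined.hidden_digits} hidden, "
          f"fully exposed = {combined.fully_exposed}")
```

Each source alone leaves a search space of 100,000 or 10,000 candidates; held together they leave one, which is why the excerpt argues for removing the SSN from the report rather than truncating it.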

Commercial Data Brokers Grilled at California Hearing

California State Senator Jackie Speier put Choicepoint, LexisNexis, and Acxiom in the hot seat in a hearing before the State's Senate Banking Committee on Wednesday, March 30, 2005. Speier, who chairs the committee, asked a series of hard-hitting questions, probing why the company did not disclose their data breach sooner and how Choicepoint's systems could be fooled by relatively unsophisticated criminals. For some time, Choicepoint has used fear to promote its business model, saying that the company prevents predators from harming children and that many missing children have been found with the company's database. But Speier wasn't fooled by the company's public relations strategy--she asked Choicepoint what percentage of their actual business comprised finding lost children. Choicepoint could not immediately answer the question.

Speier also expressed skepticism concerning the data brokers' definition of "sensitive" information, which means Social Security Numbers and driver's license numbers. However, when these same identifiers appear in public records, LexisNexis does not consider them sensitive, and sells them without restriction. Speier remarked that the identifiers were "indeed sensitive to most people in this nation...[the commercial data brokers' definition of "sensitive"]...doesn't reflect reality."

The hearing began with testimony from Elizabeth Rosen, a California nurse whose information was sold to criminals by Choicepoint. Rosen explained in detail her frustration with Choicepoint, because the company would not provide her with her full profile. A portion of her file that she did receive had errors on almost every page, including multiple incorrect addresses; that she owned companies, including a deli; and that she maintained a box at Mailboxes Etc. Senator Lowenthal asked Choicepoint why the company wouldn't give Rosen the same information the company sold to criminals, but the Choicepoint representative wouldn't directly answer the question.

EPIC's testimony before the committee focused on three issues. First, EPIC emphasized that the legislature should approach the commercial data broker issue primarily as a privacy problem rather than a security issue. Even if Choicepoint and others sold personal information in a secure way, the base problem is that the company continues to sell personal information to a wide variety of businesses without providing individuals with substantive rights.

Second, EPIC highlighted the difference between Choicepoint's regulated information services, such as employment and tenant screening services, and the company's non-regulated "public records" reports. It is the unregulated reports that are being abused, and legislative attention should be focused on these information products. EPIC warned legislators that Choicepoint plays a "shell game" with their products--Choicepoint doesn't always specify in policy debates whether they are discussing their regulated or unregulated reports, thus confusing the public and lawmakers.

Finally, EPIC suggested that California legislators take swift action to address databrokers following a scheme authored by George Washington University Law School Professor Daniel Solove and EPIC's Chris Hoofnagle.

At the hearing, ChoicePoint Vice President for Data Acquisition and Strategy, Don McGuffey, testified that:

"Approximately 60 percent of ChoicePoint's business is driven by consumer initiated transactions, most of which are regulated by the FCRA. Consumer driven transactions include not only pre-employment screening and insurance underwriting services, but also include tenant screening services, facilitating the delivery of vital records to consumers and the delivery of public filings for Title Insurance. These transactions are conducted as a result of a transaction initiated by the consumer.

"Nearly nine percent of ChoicePoint's business is related to Marketing Services, none of which include the distribution of personally identifiable information, but even so, are regulated by state and federal "do not mail" and "do not call" legislation.

"About five percent of ChoicePoint's business is the distribution of data to support local and federal law enforcement agencies in pursuit of their mission.

"Nearly six percent of our business supports law firms, financial institutions and general business to help mitigate risk through data and authentication solutions including litigation support and providing information needed to collect lawful debts.

"The final 20 percent of our business sells software and technology services that do not include the distribution of personally identifiable information."

Choicepoint apologized for selling personal information to criminals, and announced a series of reforms. The company is no longer going to sell "sensitive" personal information to small businesses. The company will still sell its full reports to big businesses and federal, state, and local law enforcement agencies (Choicepoint estimates that it has 100,000 clients, including contracts with 7,000 law enforcement agencies). Small businesses will still be able to buy Choicepoint reports, but it appears that Social Security Numbers will be truncated in some fashion. The company also announced that they are working on a system to provide access to all of its information products. However, individuals will not be able to correct their "public records" reports. Choicepoint also announced that the company could automatically redact SSNs that appear in public records.

Pam Dixon of the World Privacy Forum gave a preview of a report on commercial data brokers that reveals a very high error rate in personal information reports. In her sample, 90% of the reports obtained contained errors; frequently these errors were serious, such as individuals being identified by the wrong sex. Dixon also warned legislators that companies are using "anti-fraud" loopholes in privacy law to justify expansive information use.

ChoicePoint Sells Personal Information on Latin Americans to the American Government

In April 2002, EPIC obtained documents under FOIA that indicated that the Immigration and Naturalization Service (INS) had purchased personal information from the national ID databases of several Latin American countries. ChoicePoint, a data brokerage company, has a contract with INS to provide citizen registry, motor vehicle, and other information for Brazil, Argentina, Mexico, Colombia, and Costa Rica.

In April 2003, Jim Krane of the Associated Press wrote an article about the sale of this information that ran in newspapers internationally. From there, the documents sparked inquiries in Mexico and other Central and South American countries regarding the sale of foreign citizens' personal information to the US government by information broker ChoicePoint.

Latin American privacy experts claim that the acquisition of the information by ChoicePoint may have been illegal, and that the sale infringes on national sovereignty. Costa Rican, Nicaraguan, and Mexican authorities have decided to investigate the matter, and the Mexican Federal Electoral Institute filed a criminal complaint against persons who have sold voter data to ChoicePoint.

One group of documents obtained from the Immigration and Naturalization Service (INS) shows that ChoicePoint offered a contract for unlimited direct access to international databases for a $1 million fee. Other documents obtained from the Department of Justice Management Division show that the agency entered into an $11 million contract with ChoicePoint for fiscal year 2002.

Investigative reporter Greg Palast has extensively covered the sale of personal information by ChoicePoint's subsidiary, DBT Online, to the Florida government. The information was used to scrub voter rolls of ineligible voters--individuals who had committed felonies. Palast found that DBT's records contained numerous errors, resulting in the exclusion of many voters. Most of the excluded voters were poor or minorities.

Recent Developments

In May 2003, Rabbi Joel Levine brought suit in the U.S. District Court for the Southern District of Florida against ChoicePoint for violation of the Driver's Privacy Protection Act (DPPA). (Levine v. ChoicePoint, No. 03-80491.) That law requires that a state obtain express consent from an individual before motor vehicle department records can be sold for direct marketing or other purposes. Levine alleged that ChoicePoint knowingly obtained personal information from the Florida department of motor vehicles for resale to others, in violation of the DPPA. A similar suit was brought against Lexis-Nexis. (Levine v. Reed Elsevier, No. 03-80490.) Levine voluntarily dismissed both suits, and the cases were closed in 2003.

A similar action was filed on May 29, 2003 titled Brooks, et al v. Auto Data Direct, et al, No. 03-61063. That action alleges violations of the DPPA against ChoicePoint, the company's subsidiaries, and a number of other private-sector data sellers, including Experian, Polk, Seisint, Acxiom, and Reed Elsevier.

Documents filed in a federal lawsuit in March 2003 in the Northern District of Georgia indicate that ChoicePoint is constructing a "Central Biometric Authority." According to the complaint filed by International Biometric Group and ChoicePoint's answer, the central biometric authority is intended to perform "secure and standardized acquisition, matching, and indexing of biometric data." This biometrics database appears to be in development for ChoicePoint's expanding employee and volunteer background check services.

Senator Ron Wyden (D-OR) has introduced 108 S. 1484, the Citizens' Protection in Federal Databases Act. The bill would require the Departments of Justice, Defense, Homeland Security, Treasury, Central Intelligence Agency, and the Federal Bureau of Investigation to submit a report to Congress on use of private-sector databases, or lose funding for purchasing personal information from companies such as ChoicePoint and Lexis-Nexis.

FOIA Lawsuit

On June 22, 2001, EPIC submitted Freedom of Information Act requests to the Department of Justice, Federal Bureau of Investigation, United States Marshals Service, Drug Enforcement Agency, Immigration and Naturalization Service, Internal Revenue Service, and to the Bureau of Alcohol, Tobacco, and Firearms for agency records relating to "transactions, communications, and contracts concerning businesses that sell individuals' personal information." Months later, many of the agencies had not responded. Accordingly, on January 14, 2002 EPIC brought suit in the U.S. District Court for the District of Columbia against the Department of Justice and the Department of the Treasury. This case is still being litigated. It is currently styled Electronic Privacy Information Center v. Dep't of Justice et al., No. 1:02cv0063 (CKK)(D.D.C.).

Bureau of Alcohol, Tobacco, and Firearms

Drug Enforcement Agency

Release 1 of 1, July 3, 2002. This material is largely contracting documents between the agency and ChoicePoint. It contains one document where the DEA agrees to comply with the Gramm-Leach-Bliley Act.

Release 2 of 3, December 3, 2003. These documents contain a cable from the American Embassy in Mexico to several different government agencies warning that a "potential firestorm may be brewing" as a result of sale of personal information by ChoicePoint.

Release 3 of 3, February 2, 2004. These documents discuss public relations strategies for the American Embassy to counter public anger surrounding the release of personal information of Latin Americans to ChoicePoint.

Federal Bureau of Investigation

Part A (3.3 MB). These documents reference a secret, sole-source contract between ChoicePoint and the Federal Bureau of Investigation's Criminal Investigative Division.

Part B (2.4 MB). These contracting documents contain discussions of the definition of "public source information," and negotiations regarding a non-disclosure agreement between the agency and ChoicePoint.

Part C (2.7 MB). These contracting documents specify that ChoicePoint employees who have access to a developing FBI facility be cleared to receive "secret" level information.

Part D (2.7 MB). These contracting documents discuss an FBI facility used with ChoicePoint located somewhere in Northern Virginia.

Part E (2.3 MB). Handwritten notes and other documents describing the non-disclosure agreement.

Release 2 of 4, April 30, 2002.

Part A (4 MB). These documents contain a memo titled: "Guidance Regarding the Use of ChoicePoint for Foreign Intelligence Collection or Foreign Counterterrorism Investigations." It analyzes law enforcement use of ChoicePoint in the context of federal privacy laws and the Attorney General's Guidelines. The memorandum rationalizes use of private-sector databases as the "least intrusive means" of collecting personal information and concludes that ChoicePoint can be used for foreign intelligence and counterintelligence investigations. A presentation titled "The FBI's Public-Source Information Program Fact Versus Fiction" highlights the agency's access to property records, professional licenses, news articles, driver and DMV records, census records, and credit headers. It lists ChoicePoint, Westlaw, Lexis Nexis, Dun and Bradstreet, and credit reporting agencies as sources for this information. Reliance on these databases has increased by 9600 percent since 1992, according to the presentation. However, one unnamed credit reporting agency is no longer selling credit header information to law enforcement.

Part A (2.29 MB). These documents include: 1) a 34-slide Choicepoint PowerPoint presentation titled "A Partnership for the New Millennium." The entire presentation, except for slides that only have a Choicepoint logo, has been redacted by the FBI. 2) A brochure discussing Choicepoint's ability to detect fraudulent businesses. 3) A Choicepoint report discussing information collection, including e-mail account information, employment screening, driver records, drug testing, military documents, voter registration information, and marketing information. 4) A Choicepoint report discussing Social Security Numbers.

Part B (1.5 MB). A 34-page memo discussing the types of business information that may be available to Choicepoint.

Part C (1.3 MB). A 24-page memo on "The Information Industry," entirely redacted; a memo discussing international data; a memo discussing drug testing in detail; and an announcement of the FBI's access to Choicepoint.

Release 4 of 4, February 2006.

Part A (1.1 MB). This is a "Vaughn Index" that explains the context and reasons for withholding information from documents in Parts B and C below.

Part B (2.3 MB). This disclosure contains interesting analysis concerning use of Choicepoint for counterintelligence purposes. It also has a memo evaluating Choicepoint as a provider for information.

Part C (5.1 MB). This disclosure mainly contains contracting information from the FBI.

Immigration and Naturalization Service

Release 1 of 1, March 25, 2002. These documents discuss contracts between the agency and ChoicePoint and Dun & Bradstreet. They contain detailed information on what personal information the government can obtain on Latin and Central Americans. There is a discussion of "cloaking," a security measure that protects law enforcement queries from tracking by ChoicePoint.

Internal Revenue Service

Release 1 of 1, September 10, 2001. These are among the most interesting documents obtained under this FOIA request. The documents discuss the use of ChoicePoint for asset location, and Experian for credit checks on suspected tax evaders. The documents contain a "vision" for 2003 where the IRS would mirror huge amounts of personal information on agency computers in order to perform investigations.

Part D (3.8 MB). These documents describe an interactive pager service that allows Marshals to obtain ChoicePoint information wirelessly. They contain marketing materials, including newsletters written for law enforcement access to ChoicePoint.

Part E (5.3 MB). These documents contain marketing materials for ChoicePoint services that show that the company designed the databases for law enforcement. They also contain a document showing that the Marshals Service runs 20,000 searches a month.

Part F (6.6 MB). These documents contain a memorandum of understanding between the Marshals Service and the Department of Justice's Management Division.

Roger Clarke, Privacy and 'Public Registers,' May 11, 1997. In this article, Professor Clarke argues that public records should not be treated differently than other files containing personal information.

Previous Top News

LexisNexis Breach Compromises Data on 310,000 Americans. Data broker LexisNexis said today that personal information on 310,000 U.S. citizens may have been stolen in a security breach announced last month. At the time, LexisNexis said the breach only affected 32,000 people. LexisNexis said its databases had been fraudulently breached 59 times using stolen passwords, allowing access to addresses, Social Security numbers, and other sensitive information. This is the latest in a recent string of data breach scandals (pdf) that have affected hundreds of thousands in the U.S. In testimony before Congress (pdf) and the California Senate, EPIC has called for the regulation of data brokers because there is too much secrecy and too little accountability in their business practices. (Apr. 12, 2005)

EPIC Testifies in California Senate on Choicepoint, Commercial Data Brokers. In testimony to the California Senate Banking Committee, EPIC West director Chris Hoofnagle argued that the Choicepoint affair is a problem of privacy, not security. Even if commercial data brokers could securely sell personal information, that would not address the underlying issue of whether the information should be sold in the first place. EPIC urged California lawmakers to act quickly to limit commercial data brokers' collection and sale of personal information. Choicepoint's testimony (2 MB PDF) detailed the company's businesses practices and efforts to remedy the sale of information to criminals. (Mar. 30, 2005)

Model Regime for Commercial Data Brokers a Top Ten Download. The Solove/Hoofnagle approach for addressing commercial data brokers is a top ten download on the Social Science Research Network. The authors have invited and continue to welcome comment on the document. (Mar. 28, 2005)

Why Choicepoint's Response to Fraud is Inadequate. In light of Choicepoint's sale of personal information to criminals, the company has announced that it "will discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there is a specific consumer-driven transaction or benefit, or where the products support federal, state or local government and criminal justice purposes." This response is inadequate. We explain why in detail below. (Mar. 28, 2005)

Choicepoint Plays a Shell Game With its Products, Debate Must Focus on Non-FCRA Information Products. The information industry is confusing, and its complexity is allowing Choicepoint wiggle room in debates concerning its products. When asked questions regarding privacy rights, such as access to the profile and correction of errors, the company will describe its products regulated under the Fair Credit Reporting Act (FCRA), such as Choicepoint's employment screening, tenant screening, and insurance reports. But the privacy debate surrounds the company's non-FCRA products, like AutotrackXP and other "public records" reports that Choicepoint sells to law enforcement, businesses, and private investigators. It was these non-FCRA products that probably were sold to criminals who then used them for identity theft purposes. The distinction is crucial, because individuals have very few rights to address unfair practices with the company's non-FCRA products. Accordingly, in December 2004, EPIC urged the FTC to investigate Choicepoint and declare its non-FCRA products to be "consumer reports" under the FCRA. If AutotrackXP were treated as a consumer report, individuals could exercise a series of rights currently unavailable to them. (March 28, 2005)

Groups Urge FTC to Reevaluate FTC's Position on Choicepoint. EPIC and a coalition of privacy and consumer groups urged (pdf) Federal Trade Commission Chair Majoras to reevaluate the agency's position on commercial data brokers, as it was "very much in line with the views of the companies testifying before Congress, which had leaked or sold data to criminals, but was very far from the views expressed by consumer and privacy groups." The groups noted that the FTC itself contributed to current information privacy problems by approving self-regulatory principles authored by companies like Choicepoint and by allowing the sale of "credit headers" without privacy protections. The groups have called upon the FTC to "correct these extraordinary policy blunders and urge the application and enforcement of Fair Information Practices (FIPs) to the commercial data broker industry..." (Mar. 17, 2005)

EPIC Introduces EPIC FOIA Notes, 2005 FOIA Gallery. In celebration of Freedom of Information Day, EPIC has launched EPIC FOIA Notes, a newsletter that will deliver the latest revelations EPIC obtains through the FOIA. You can view the first EPIC FOIA Note (which reports formerly classified documents showing that ChoicePoint assured the FBI it could verify legitimate businesses) and subscribe to the newsletter here. EPIC is also proud to introduce its 2005 FOIA Gallery, which contains highlights and scanned images of some of EPIC's FOIA disclosures from the past year. (Mar. 16, 2005)

EPIC Testifies in Congress, Calls for Regulation of ChoicePoint. EPIC Executive Director Marc Rotenberg urged (pdf) lawmakers to regulate ChoicePoint and other data brokers in testimony today before a House subcommittee on consumer protection. Rotenberg testified that there is too much secrecy and too little accountability in the business dealings of data brokers, and the ChoicePoint debacle underscores the need for federal regulation of the information broker industry. ChoicePoint recently admitted (pdf) that it had sold personal information on 145,000 people to a criminal ring involved in identity theft. (Mar. 15, 2005)

ChoicePoint Self-Regulation Fails; Proposal Made to Provide Privacy, Accountability. Years ago, to avoid privacy regulation, ChoicePoint agreed to a set of self-regulatory principles created by the industry-supported Individual References Services Group (IRSG). The principles offered little real privacy (pdf) as ChoicePoint opted out from giving people the right to control their data. Professor Dan Solove and Chris Hoofnagle have proposed a framework for addressing commercial data brokers as the Senate Banking Committee begins hearings to discuss ChoicePoint. (Mar. 9, 2005)

32,000 Americans at Risk After Data Broker's Security Breach. Data broker LexisNexis announced today that its subsidiary, Seisint, may have allowed criminals to access sensitive information on 32,000 U.S. citizens, including names, addresses, Social Security and driver's license numbers. Seisint is also responsible for the Multistate Anti-Terrorism Information Exchange Program (MATRIX), a controversial law enforcement data mining program that has floundered in recent months due in part to privacy concerns. Seisint's security breach comes just weeks after it was revealed (pdf) that data broker ChoicePoint sold data on 145,000 people to a criminal ring engaged in identity theft, and Bank of America announced that data tapes containing personal information on 1.2 million federal employees were either stolen or lost in late December. For more information, see EPIC's Financial Privacy page. (Mar. 9, 2005)

ChoicePoint Also Sold Personal Data to Identity Thieves in 2002. The Los Angeles Times reported that ChoicePoint, which recently admitted it had sold personal information on 145,000 Americans to identity thieves, also sold such information on at least 7,000 people to identity thieves in 2002. Last week, EPIC urged the data broker to make available to the recent victims the information that was sold to the crime ring. ChoicePoint has not yet disclosed this information. In its latest letter (pdf) to the victims, ChoicePoint merely states that information such as "name, address or Social Security number" may have been accessed by the criminals. (Mar. 3, 2005)

UPDATE - EPIC Urges Choicepoint to Give Victims Access to Records, Turn Over Profits From Bogus Sales. In a letter to the Choicepoint CEO, EPIC today urged the company to "make available to the 145,000 people the information that was sold by your company last fall to the crime ring." EPIC also urged Choicepoint to "disgorge the funds that you obtained from the sale of the data and make these funds available to the individuals who will suffer from identity theft as a result of this disclosure." EPIC concluded that "your recent security breach demonstrates the profound importance of having the Choicepoint AutoTrackXP and Customer Identification Programs databases regulated by the Fair Credit Reporting Act." (Feb. 19, 2005)

Choicepoint Snafu Widens. Commercial data broker Choicepoint has wrongfully disclosed information on more than 145,000 Americans. The warning letters sent by the company to California residents indicate that individuals are subject to a heightened risk of identity theft. In December 2004, EPIC urged the Federal Trade Commission to initiate an investigation of Choicepoint and the data broker industry under the Fair Credit Reporting Act. News of the breach has sparked calls to extend the California notice law to all states and for credit freeze legislation. (Feb. 16, 2005)

Criminals Gain Access to Choicepoint Databases. Bob Sullivan has reported that commercial data broker Choicepoint issued notices to over 30,000 California residents that their personal information may have been accessed by criminals with access to Choicepoint's information products. Individuals outside California may have been affected too, but the company is not obligated to disclose security breaches to residents of other states. As recently as two weeks ago, EPIC again warned the Federal Trade Commission about unjustified access to commercial databases and questioned the adequacy of Choicepoint's auditing procedures. For more information, see EPIC's Choicepoint Page. (Feb. 15, 2005)

EPIC Supplements Data Broker Filings. In a follow up letter to the Federal Trade Commission, EPIC supplemented earlier filings that requested that the agency investigate commercial data brokers for compliance with the Fair Credit Reporting Act. The letter points to recent news reporting that characterizes commercial data broker Choicepoint as a "private intelligence service," and a recent television broadcast showing private investigators using a commercial data broker without legal justification. (Feb. 1, 2005)

EPIC Challenges Choicepoint to Public Hearings on Consumer Privacy. EPIC has called for hearings in Congress and before the Federal Trade Commission on the need for new privacy protections for American consumers. In a December 16, 2004 complaint to the Federal Trade Commission, EPIC urged the Commission to determine whether Choicepoint, a large information broker, complies with federal privacy law and also whether it will be necessary to update the laws. Choicepoint disputed EPIC's charges but said it favored a national debate. Let the debate begin. (Jan. 5, 2005)

EPIC Seeks Investigation of ChoicePoint, Data Brokers. In a letter to the Federal Trade Commission, EPIC has urged the agency to investigate ChoicePoint and other data brokers for compliance with the federal Fair Credit Reporting Act. The letter argues that Choicepoint and its clients have performed an end-run around the FCRA, and sell personal information to law enforcement, private investigators, and businesses without substantive or procedural privacy protections. (Dec. 16, 2004)

Court Rules Secret Contract Subject to FOIA. A federal court has held (pdf) that a classified contract between the Federal Bureau of Investigation and ChoicePoint, a commercial data broker, is subject to the Freedom of Information Act. The court also rejected the FBI's request for a two-year delay for review of the contract. EPIC has obtained over 1,500 documents about ChoicePoint under FOIA, and Associate Director Chris Hoofnagle recently published a law journal article analyzing the documents. (Aug. 24, 2004)